CVE-2025-9071
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-08-29

Assigner: Switzerland Government Common Vulnerability Program

Description
Erroneously using an all-zero seed for RSA-OAEP padding instead of the generated random bytes, in Oberon microsystems AG’s Oberon PSA Crypto library in all versions up to 1.5.1, results in deterministic RSA and thus in a loss of confidentiality for guessable messages, recognition of repeated messages, and loss of security proofs.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-08-29
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: oberon_microsystems_ag
Product: oberon_psa_crypto
Version / Range: 1.5.1
CWE
CWE-780: The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.
AI Quick Actions
Executive Summary

This vulnerability in Oberon microsystems AG’s Oberon PSA Crypto library (versions up to 1.5.1) involves the incorrect use of an all-zero seed instead of a cryptographically secure random seed for RSA-OAEP padding. OAEP padding normally uses a random seed to ensure that encrypting the same message multiple times produces different ciphertexts, providing semantic security. However, using an all-zero seed makes the encryption deterministic, meaning identical plaintexts produce identical ciphertexts. This breaks the security guarantees of RSA-OAEP, allowing attackers to recognize repeated messages and compromising confidentiality for guessable messages. [1]

Impact Analysis

The vulnerability can lead to a loss of confidentiality for messages that are guessable, as attackers can identify repeated ciphertexts corresponding to the same plaintext. This deterministic encryption undermines the security of applications, protocol stacks, and SDKs that use RSA-OAEP for asymmetric encryption, potentially exposing sensitive data. However, key exchange protocols using RSA-OAEP are likely unaffected because the exchanged keys remain unpredictable. [1]

Detection Guidance

Detection starts with inventory: identify systems or applications that use an unpatched Oberon PSA Crypto library, versions 1.0.0 through 1.5.1, and check whether they use RSA-OAEP encryption. A functional check is to encrypt the same plaintext twice under the same public key and compare the ciphertexts; identical ciphertexts indicate the all-zero seed, since a correct implementation draws a fresh random seed for every encryption and so produces different ciphertexts. No specific detection commands are provided in the available resources. [1]
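
The determinism explained in the Executive Summary and the repeated-ciphertext check from the detection guidance, as an added example that is not code from this page or from Oberon PSA Crypto: a Python implementation of EME-OAEP encoding (RFC 8017) with an explicit seed, the zero-seed behaviour modelled beside the correct random-seed behaviour, and a check that pads the same message twice and compares the blocks. The modulus length k = 128 bytes, the choice of SHA-256, and the sample message are assumptions.

```python
"""EME-OAEP encoding (RFC 8017 section 7.1.1) with an explicit seed, showing
why an all-zero seed makes RSA-OAEP deterministic. Added example; not the
Oberon PSA Crypto code. k = 128 and SHA-256 are assumed parameters."""
import hashlib
import os

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # hLen = 32 for SHA-256

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 mask generation function (RFC 8017 appendix B.2.1)."""
    out = b""
    for counter in range((mask_len + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, seed: bytes, label: bytes = b"") -> bytes:
    """Return the k-byte block EM that RSA then exponentiates. RSA itself is
    deterministic, so the hLen-byte seed is the only source of randomness."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    if len(seed) != H_LEN:
        raise ValueError("seed must be hLen bytes")
    ps = b"\x00" * (k - len(msg) - 2 * H_LEN - 2)
    db = HASH(label).digest() + ps + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def encode_vulnerable(msg: bytes, k: int) -> bytes:
    """Models the CVE-2025-9071 behaviour: the seed is all zeros, so the same
    (message, key) pair always yields the same EM and the same ciphertext."""
    return oaep_encode(msg, k, b"\x00" * H_LEN)

def encode_fixed(msg: bytes, k: int) -> bytes:
    """Correct behaviour: a fresh CSPRNG seed for every encryption."""
    return oaep_encode(msg, k, os.urandom(H_LEN))

def padding_is_deterministic(encode, msg: bytes, k: int) -> bool:
    """The check from the detection guidance: pad the same message twice and
    compare. With a correct seed the blocks collide with probability 2^-256."""
    return encode(msg, k) == encode(msg, k)
```

Because the masked seed is recoverable during decoding, a zero-seed block still decodes correctly on the receiving side, which is why this defect does not show up in interoperability tests and has to be checked for explicitly.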

Mitigation Strategies

The immediate mitigation step is to upgrade the Oberon PSA Crypto library to version 1.5.1 or later, where the issue has been fixed by applying the rsa_oaep_padding.patch. This upgrade ensures that a cryptographically secure random seed is used for RSA-OAEP padding, restoring confidentiality and security guarantees. [1]
